Organizations are increasingly shifting to the use of complicated information technology (IT) infrastructures that include computing devices/equipment (e.g., computers, telecommunications equipment, networking equipment, etc.) and software to enhance operations. However, many types of software are subject to security risks (i.e., threats and vulnerabilities). In general, a “threat” is a potential occurrence that can have an undesirable effect on a device resulting in, for example, breaches of confidentiality, theft of data, integrity, a denial of service, etc. “Vulnerabilities” are susceptibilities/flaws in a device (typically software/applications), in a set of procedures, or in anything that creates an opportunity for a threat to occur (i.e., that make it possible for the security of the device and/or organization to be compromised). Vulnerabilities are considered to be at the intersection of a susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.
Vulnerabilities may arise due to a variety of reasons. For example, large and complex IT infrastructures increase the probability of flaws and unintended access opportunities. Additionally, the use of common code/software, common operating systems, common hardware, poor password management practices, unchecked user inputs, operating system design flaws, software bugs, and increasing network connectivity and/or increased Internet website browsing all increase the probability that an attacker has or can find the knowledge and tools to exploit a vulnerability within an organizations IT infrastructure.